Re: from / to /usr/: a summary
* Philipp Kern <trash@philkern.de> [111227 04:04]:
> > As you pointed out so nicely: modules_disabled is only a replacement if
> > you have a custom initramfs and do not allow that to be modified
> > automatically. So from the point of the original discussion,
> > modules_disabled is no solution.
>
> You just stuff a file into /etc/initramfs-tools/local-bottom and regenerate the
> initramfs. I think that's much less effort than recompiling the kernel with
> the right bits built-in.
Building a custom kernel is almost no effort at all. Building a minimal
one is a bit more effort.
But that part is exactly the same as needed for creating a
local-bottom: You have to know which modules you need to load before
disabling modules.
And what use is a /etc/initramfs-tools handling if you cannot create the
initramfs on the system or you would defeat the security?
You could argue as well that people wanting a kernel without initramfs
have no problem with /usr to be mounted early, they just have to write
some parts into the correct part of /etc/rcS to have /usr mounted before
anything else is done.
> I'll grant the "boot the kernel from the outside" bit, but then I could just
> kexec into my new kernel, if the admin wasn't careful enough.
Kexec will of course not work. Otherwise something was done
horribly wrong (like forgetting to patch out {k,}mem).